none
MIM Hybrid Reporting Agent Install fails with Event ID 118 / MSI Error status 1603 RRS feed

  • Question

  • We are currently attempting to install the MIM Hybrid Reporting Agent, as detailed here : https://docs.microsoft.com/en-us/microsoft-identity-manager/deploy-use/working-with-identity-manager-hybrid-reporting

    The install fails with Event ID 118 logged in the Application Event log (full details pasted below) "The HTTP request to 'https://policykeyservice.dc.ad.msft.net/clientregistrationmanager.svc/ClientRegistration/d07a5f73-f053-47f7-8aa8-1823d43a0e89/IMMIMSTPDVVW01/cade92aa-1db7-4c02-aabc-bf9830e10992' has exceeded the allotted timeout "

    Proxy access is enabled and the Azure Powershell bits are installed on the server and I am able to connect to the tenant and run various commands to confirm connectivity.

    I've enabled verbose MSI reporting and this seems to be the place where the install ends with error status 1603.

    SI (s) (DC!48) [10:20:23:172]: Creating MSIHANDLE (37) of type 790531 for thread 9800
    CAQuietExec64:  Error 0x80070001: CAQuietExec64 Failed
    MSI (s) (DC!48) [10:20:23:172]: Closing MSIHANDLE (37) of type 790531 for thread 9800
    CustomAction RegisterClient returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
    MSI (s) (DC:E4) [10:20:23:172]: Closing MSIHANDLE (33) of type 790536 for thread 7588
    Action ended 10:20:23: InstallFinalize. Return value 3.

    ...

    ...

    [10:20:28:124]: Windows Installer installed the product. Product Name: Microsoft Identity Manager Hybrid Reporting. Product Version: 4.3.2041.0. Product Language: 1033. Manufacturer: Microsoft Corporation. Installation success or error status: 1603.

    [Further Update...] I have now taken a network trace and can see three attempts to establish a connection to the alias of pks.aadg.windows.net.nsatc.net - aadgc.aadg.windows.net.nsatc.net After the hostname is resolved, there is an attempt to send it a SYN for the first part of a 3 way handshake, none of which gets a response.  After which there is an “ICMP Destination Unreachable” from the firewall. Therefore, these attempts to connect are not going via the proxy but trying to go directly but are blocked by the firewall.  Should these attempts go via the proxy, or is direct connectivity required?

    Is there a recommended method for validating if all the required network connectivity is in place?

    Any suggestions for next troubleshooting steps would be gratefully received...

    Alastair

    -

    Log Name:      Application
    Source:        MIM Hybrid Reporting Monitoring Agent
    Date:          21/11/2016 10:20:23
    Event ID:      118
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      IMMIMSTPDVVW01.devswad.net
    Description:
    Agent.Main;Client activation failed:The request channel timed out while waiting for a reply after 00:01:00. Increase the timeout value passed to the call to Request or increase the SendTimeout value on the Binding. The time allotted to this operation may have been a portion of a longer timeout. The HTTP request to 'https://policykeyservice.dc.ad.msft.net/clientregistrationmanager.svc/ClientRegistration/d07a5f73-f053-47f7-8aa8-1823d43a0e89/IMMIMSTPDVVW01/cade92aa-1db7-4c02-aabc-bf9830e10992' has exceeded the allotted timeout of 00:01:00. The time allotted to this operation may have been a portion of a longer timeout.
    System.TimeoutException: The request channel timed out while waiting for a reply after 00:01:00. Increase the timeout value passed to the call to Request or increase the SendTimeout value on the Binding. The time allotted to this operation may have been a portion of a longer timeout. ---> System ........



    • Edited by Ali_Cain Monday, November 21, 2016 3:07 PM
    Monday, November 21, 2016 11:16 AM

Answers